[wp-trac] [WordPress Trac] #39941: Allow using Content-Security-Policy without unsafe-inline
WordPress Trac
noreply at wordpress.org
Wed Jul 10 21:23:45 UTC 2019
#39941: Allow using Content-Security-Policy without unsafe-inline
-------------------------------------------------+-------------------------
Reporter:  tomdxw                                | Owner:       johnbillion
Type:      enhancement                           | Status:      accepted
Priority:  normal                                | Milestone:   Future Release
Component: Security                              | Version:     4.8
Severity:  normal                                | Resolution:
Keywords:  has-patch needs-refresh 2nd-opinion   | Focuses:     javascript
-------------------------------------------------+-------------------------
Comment (by epicfaace):
@alinod Good point about nonces and caching. Of course, nonces are already
commonly used in items such as forms on WordPress, and thus already
prevent caching for those pages -- but adding nonces to every single page
would end up negating a lot of the effect of caching, as you said.
So it seems like the two options are 1) calculating static hashes for all
inline scripts used in WordPress core, adding a build process to add these
into the source code or 2) switching all of WP's inline JS to external
JavaScript instead. At this point, it seems like the latter might be
simpler. What are the main challenges with doing so?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39941#comment:36>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
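The hash-based option discussed in the comment above, as an added illustration that is not part of the ticket or of WordPress core: the script below extracts the inline `<script>` blocks from a constructed sample page, computes the CSP `'sha256-...'` source for each, and assembles a `script-src` directive that needs no `'unsafe-inline'`. The sample HTML, the helper names and the function signatures are assumptions made for this example. The last function shows the caching caveat raised in the thread: because the hash covers the exact bytes of the script body, a page whose inline script changes per request (a nonce, a per-user value) produces a different directive each time, so static hashes only work for inline code that is genuinely fixed at build time.

```python
import base64
import hashlib
import re

# Constructed sample page (not WordPress output): one external script and
# two inline scripts. Only the inline ones need hash sources in the CSP.
SAMPLE_HTML = """<html><head>
<script src="/example/external.js"></script>
<script>document.documentElement.className = 'js';</script>
</head><body>
<script type="text/javascript">
    var ajaxurl = '/example/admin-ajax.php';
</script>
</body></html>"""

# Constructed variant of the same page where a per-request value has been
# templated into the second inline script.
SAMPLE_HTML_DYNAMIC = SAMPLE_HTML.replace(
    "var ajaxurl = '/example/admin-ajax.php';",
    "var ajaxurl = '/example/admin-ajax.php'; var requestToken = 'abc123';",
)

SCRIPT_RE = re.compile(
    r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.DOTALL | re.IGNORECASE
)


def inline_script_bodies(html):
    """Return the raw bodies of inline <script> blocks (those without src=).

    The returned text is exactly what sits between the tags, whitespace
    included, because that is what the browser hashes when it checks the CSP.
    """
    bodies = []
    for match in SCRIPT_RE.finditer(html):
        if re.search(r"\bsrc\s*=", match.group("attrs"), re.IGNORECASE):
            continue  # external script: allowed by host source, not by hash
        bodies.append(match.group("body"))
    return bodies


def csp_hash(script_body, algo="sha256"):
    """CSP hash-source for one inline script: base64 of the digest of its UTF-8 bytes."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'{}-{}'".format(algo, base64.b64encode(digest).decode("ascii"))


def script_src_directive(html, extra_sources=("'self'",)):
    """Build a script-src directive allowing exactly the inline scripts found in html."""
    sources = list(extra_sources) + [csp_hash(body) for body in inline_script_bodies(html)]
    return "script-src " + " ".join(sources)


def directive_is_stable(html_a, html_b):
    """True if two renderings of a page yield the same directive.

    A False result means the inline script content is not static, so a
    precomputed hash list would reject it; that script must either be made
    static or moved to an external file.
    """
    return script_src_directive(html_a) == script_src_directive(html_b)


if __name__ == "__main__":
    print(script_src_directive(SAMPLE_HTML))
    print("stable across renders:", directive_is_stable(SAMPLE_HTML, SAMPLE_HTML_DYNAMIC))
```

Note that the hash is over the raw bytes between the tags, so a build step that reformats or minifies inline code after the hashes were computed silently invalidates them; compute the hashes from the final emitted markup.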